Cryptanalyzing the Polynomial-Reconstruction based Public-Key System Under Optimal Parameter Choice

Cryptanalyzing the Polynomial-Reconstruction based

Public-Key System Under Optimal Parameter Choice

Aggelos Kiayias∗ _{Moti Yung}†

Abstract

Recently, Augot and Finiasz presented a coding theoretic public key cryptosystem that suggests a new approach for designing such systems based on the Polynomial Reconstruc-tion Problem. Their cryptosystem is an instantiaReconstruc-tion of this approach under a specific choice of parameters which, given the state of the art of coding theory, we show in this work to be sub-optimal. Coron showed how to attack the Augot and Finiasz cryptosystem. A question left open is whether the general approach suggested by the cryptosystem works or not. In this work, we show that the general approach (rather than only the instantiation) is broken as well. Our attack employs the recent powerful list-decoding mechanisms.

1

Introduction.

Recently, in Eurocrypt 2003 [AF03], Augot and Finiasz presented a public-key cryptosystem that was based on the Polynomial Reconstruction problem (PR). This scheme suggests a general approach for designing such cryptosystems; their cryptosystem is an instantiation of this approach based on a specific choice of parameters.

Let us first review PR, which is a curve-fitting problem that has been studied extensively especially in the coding theoretic setting, where it corresponds to the Decoding Problem of Reed-Solomon Codes.

Definition 1 Polynomial Reconstruction (PR) Given a set of points over a finite field

{hzi, yii}ni=1, and parameters [n, k, w], recover all polynomialsp of degree less than k such that

p(zi)6=yi for at most w distinct indexes i∈ {1, . . . , n}.

Regarding the solvability of PR, we remark that unique solution can only be guaran-teed when w ≤ n−₂k (the error-correction bound of Reed-Solomon Codes). For such param-eter choices, the Berlekamp-Welch Algorithm [BW86] can be used to recover the solution in polynomial-time. When the number of errors w exceeds this bound, unique solution is not necessarily guaranteed. In this range, a decoding algorithm may output a list of polynomials that satisfy the constraints. This is called list-decoding and recently some breakthrough re-sults have been achieved in this field. The most powerful list-decoding algorithm is the one by Guruswami and Sudan, [GS98]. The algorithm will work for any number of errors such that w < n−p

(k−1)n. For choice of parameters beyond the Guruswami-Sudan solvability bound, no known efficient algorithm exists that solves PR (and [GS98] gives some indication why such an algorithm is not likely to be found).

∗_{Computer Science and Eng. Dept., University of Connecticut, Storrs, CT, USA,}

[email protected].

†_{Computer Science Dept., Columbia University, NY, USA}

!"

" " #%$'&')(*+',*$ "./"00 1 2 3 3 "4" 1 '.!"4% " " " 2 7

8'9 "

".!" 5'" 3

Figure 1: The Augot and Finiasz general approach for designing a pk-cryptosystem using the hardness of RS decoding.

Augot and Finiasz’s general approach (see figure 1) is to use a PR instance which is hard to solve (i.e., a highly noisy instance) as a public key, and to encrypt a message by scaling the given public key (i.e., multiplying the polynomial values by a scalar) and adding to the scaled instance the message which is represented as a slightly lower degree second PR instance which is solvable, yielding a PR instance representing the ciphertext. The receiver who knows the noise locations in the public key can recover the message. The approach allows key sizes that are much smaller than the traditional coding theoretic based public-key systems (i.e., the McEliece cryptosystem [McE78]). Further, direct use of the above mentioned decoding and list-decoding methods do not apply to breaking the cryptosystem (directly). To implement the approach of figure 1 one needs to specify: (i) the structure of the public-key, (ii) the structure of the error-vector, and in accordance (iii) the decoding method employed in decryption.

What we noticed is that while the public-key structure was chosen to be an unsolvable PR instance, the choice of the error-vector and the associated decoding method was sub-optimal considering the state-of-the-art of Coding Theory. The scheme was in fact, based on unique decoding (and not list decoding techniques) and did not consider probabilistic analysis to maximize the allowed entropy of the error-vector.

The scheme of [AF03] was recently broken by Coron [Cor03a, Cor03c] (without affecting the solvability of PR). The elegant attack presented in [Cor03c] is in fact a ciphertext-only attack that is built on the Berlekamp-Welch method and recovers the message, given knowledge only of the public-key and a ciphertext. A further modification of the scheme, using extension fields but essentially the same system, was suggested recently [AFL03] and was shown by Coron [Cor03b] to be vulnerable to essentially the same attack.

Coding Theoretic Motivation. The Augot-Finiasz cryptosystem employed unique decoding techniques rather than list-decoding techniques (assuming that unique decoding is what is needed for a correct cryptosystem — an assumption we refute herein). Moreover, they consider only worst-case analysis in the selection of the code parameters. Thus, their cryptosystem is sub-optimal in the above respects given the general approach outlined above.

This leaves open the question of whether this general approach works in principle, i.e., when one uses the optimal coding theoretic techniques and probabilistic analysis for the parameter selection.

rate of the error vector used during encryption and choose state-of-the-art list-decoding tech-niques to implement the Reed-Solomon decoding step for decryption. Regarding the optimiza-tion (maximizaoptimiza-tion) of the error-rate we make two key observaoptimiza-tions (1) the system of [AF03] employs a worst-case approach in selecting this parameter; a probabilistic approach (that we perform in this work) allows higher values. (2) the system of [AF03] employs Berlekamp-Welch RS-decoding for the decryption operation. We emphasize that more powerful decoding techniques can be employed that allow larger values for the error-rate parameter. Our method-ology is to use an extended set of tools both for design and analysis in order to get the best possible instantiations of the general approach. The tools include “list decoding” rather than unique decoding techniques (which we show to be still good for decryption, since decoding to a unique value is assured with extremely high probability over a large enough field, even when ambiguous decoding is allowed, cf. Lemma 5).

We develop our presentation as a ping-pong game between a cryptosystems designer and a cryptanalyst. To avoid any misunderstanding our goal is not to design a new cryptosystem, but rather using the design and cryptanalysis steps as a methodology for exploring the general approach.

First Step. Regarding our key-observation (1) we employ the tails of the hypergeometric distribution to show that the original scheme allowed too few errors in the error-vector to be used by the message encryption process. Thus the error-rate can be increased high enough to aid the designer to achieve instances of the cryptosystem where Coron’s analysis does not work. But, nevertheless we provide an alternative probabilistic analysis showing that the original attack of Coron would work almost always even in this modified (more noisy) version, thus aiding the cryptanalyst.

Second Step. Combining our key-observations (1) and (2) above, we discover the optimal setting for the sender error-parameter (“optimal” under the assumption that the Guruswami-Sudan list-decoding algorithm [GS98] represents the best possible decoding algorithm against Polynomial Reconstruction). We show that the optimal parameter setting, helps the designer and in this case Coron’s attack fails. To answer our question about the limit of the approach, we then present a new attack that is based on the Sudan and Guruswami-Sudan algorithms [Sud97, GS98]. Our attack, with overwhelming probability, breaks even the optimal parameter setting. This means that the general approach, outlined in figure 1, taken by Augot and Finiasz (rather than merely their non-optimal instantiation) breaks.

We believe that our results demonstrate how design and analysis of Coding theory based cryptography, must employ probabilistic methods and state of the art decoding techniques. Furthermore, our results and the attack of Coron demonstrate that PR-based cryptosystems that lack formal proofs of security by concrete reduction arguments, even when they seem to be related to PR, are potentially susceptible to coding theoretic attacks that do not imply any weakness in the PR problem itself. Note that, the private-key cryptosystem based on PR suggested by the authors in [KY02] was shown to be semantically secure under an intractability decisional assumption that bears upon the average-case PR (for choices of the parameters beyond the Guruswami-Sudan solvability bound). This cryptosystem (as well as the other cryptographic primitives in [KY02]) are not affected by the techniques of the present paper and of Coron’s [Cor03a, Cor03b, Cor03c] and breaking these designs seems to require significant advances in RS decodability.

cryptanalytic framework that we will employ. In section 3 we show how using probabilistic analysis we can improve the error-parameter of the encryption function and in section 4, using again probabilistic analysis, we show that this will not help securing the cryptosystem. In section 5 we proceed to show how to employ list-decoding techniques in order to optimize the parameter selection and we demonstrate how the optimal version can thwart Coron’s attack. In turn, in section 6 we show how the optimal variant also succumbs in a ciphertext-only attack. Finally the work is summarized in section 7.

2

Background: the Recent Polynomial-Based Public-Key

Cryp-tosystem

We review the recent developments, while setting up the necessary notations and interesting points regarding our investigation.

2.1 The Cryptosystem of [AF03]

The cryptosystem of [AF03] can be described in high level as follows:

1. The public-key is a PR-instance of parameters [n, k+ 1, W] for which (i) the hidden polynomial p is monic; (ii) solving the instance is considered hard. The public-key is a sequence of values in (IF×IF)n (while the locations of the error points is the secret key).

2. Encryption operates by first transposing (i.e., scaling the polynomial of) the public-key using a random value α ∈ IF (the encryption coefficient), and then adding to the transposed public-key the message (evaluated as a second polynomial represented as pairs of points using the same first coordinates as the points of the public key PR instance, with no errors), and finally adding some additional w errors. (In other words, the message is embedded in a second PR instance withw errors and added to the transposed public key). It follows that a ciphertext is a sequence of values in (IF×IF)n.

3. Decryption removes the points that correspond to public-key errors, i.e.,W points of the ciphertext. Decryption relies on the following two facts: (i) the remainingn−W points can be decoded into a polynomial p∗_{; (ii) due to the fact that the message polynomial}

is selected to be of degree less than the degree of the monic polynomial p hidden in the public-key, it follows that the recovery of p∗ implies the recovery of the encryption coefficientα. The message polynomial can be recovered aspmsg(x) =p∗(x)−αp(x).

We note that the points over which the polynomials are evaluated in a PR instance can be publicly known (thus the public-key and the ciphertext can be considered to be of size only |IF|n_).

In more detail, let z1, . . . , zn ∈ IF be arbitrary distinct elements of the underlying field,

where n∈ IN is a security parameter. The public-key of the system is a PR-instance that is generated as follows: first a random tuplehE1, . . . , Eniis selected that has exactlyW non-zero

randomly selected elements from IF. Second, a random polynomial p of degree less than k is selected. The public-key is set topk:={hzi, yii}ni=1 whereyi=p(zi) +Ei+zik fori= 1, . . . , n.

Remark. Observe that{hzi, yi−zkii}ni=1 is a random PR-instance with parametersn, k, W.

The encryption operation is defined with domain IFk _{and general range the set (IF×IF)}n_.

random tuple he1, . . . , eni is selected so that it has exactlyw non-zero randomly selected field

elements; a random elementα∈IF is selected as well. The ciphertext that corresponds tomsg is the sequence of pairs{hzi, y0ii}ni=1 defined as followsyi0 =αyi+pmsg(zi) +ei, fori= 1, . . . , n.

So far, the above represents a general approach. The exact choice of parameters (as a function of n, say) gives the specific system of [AF03].

The decryption operates as follows: let I ⊆ {1, . . . , n} be such that|I|=n−W and for all i∈Iit holds thatEi = 0 (from the selection of the public-key). Observe now that the sequence

of pairsC={hzi, yi0i}i∈I can be seen as a PR-instance with parameters [n−W, k+ 1, w]. Now

suppose that,

Condition #1 : w≤ n−W −k−1

2 ⇒n≥2w+W +k+ 1

This condition implies that the PR-instance has a unique solution that can be recovered by the unique decoding technique of Berlekamp-Welch algorithm. Given such solution p∗(x) it follows that the leading coefficient of p∗ _{will be equal to α (by construction, we have that}

the polynomial hidden into the public-key is monic and of degree k while the degree of the message polynomial is at most k−1). Then, the transmitted message can be recovered as follows pmsg(x) =p∗(x)−α(xk+p(x)).

A second condition is that W should be large, beyond the known bounds of list-decoding, to assure that a third party cannot simply get the error locations of the public key (and thus decrypt all ciphertexts). This condition is the base of the presumed security of the scheme.

2.2 A Cryptanalytic Framework

The Cryptanalytic problem that is the basic building block for mounting a ciphertext-only attack on the Public-Key Cryptosystem of [AF03] as described above is defined as follows:

Definition 2 Ciphertext-only Attack Problem (CAP) Given two sequences of tuples

X1:={hzi, yii}ni=1 and X2 :={hzi, yi0i}ni=1 and parameters n, k, w, W that satisfy the following

conditions

i. w≤ n−W−k−1

2 andW ≥n−

p

n(k−1).

ii. {hzi, yi−ziki}ni=1 is a random PR-instance with parameters [n, k, W].

iii. ∃α∈IF such that {hzi, yi0−αyii}ni=1 is a random PR-instance with parameters [n, k, w].

Goal. Find a list of values of polynomial-length that contains the valueα.

Any algorithm that solves CAP in polynomial-time can be turned into a ciphertext-only attack against the cryptosystem of [AF03], as the following proposition reveals.

Proof.: Observe that due to the definition of the cryptosystem the condition i of definition 2 is satisfied. Also if we set the public-key to be X1 and the ciphertext to beX2 it follows that

conditionsii, iii of definition 2 are also satisfied. Thus, we can apply (simulate) A onX1, X2

to obtain α. Now observe that due to conditions iii and i we can decode {hzi, yi0−αyii}ni=1

(using the Berlekamp-Welch algorithm) to obtain the transmitted message pmsg(x) (unique

solution). A guarantees polynomially many candidates forα, thus the above reduction will be successful in returning the plaintext with probability at most 1/poly. ut

2.3 Coron’s Attack

In [Cor03c], Coron presented an elegant ciphertext-only attack against the cryptosystem of [AF03]. We explain the attack briefly below and we show that in fact it can be seen as an algorithm to solve CAP (in fact our formulation of CAP above is motivated by the original attack and by further extensions of this idea in the sequel).

Let X1, X2 be an instance of CAP, withX1 ={hzi, yii}in=1 X2={hzi, yi0i}ni=1 and

parame-tersk, w, W, n. Due to conditioniiiof definition 2 it follows that there existp∈IF[x] of degree less thank and α∈IF, so thatp(zi)=6 yi0−αyi for at mostw indexes i.

The attack modifies the Berlekamp-Welch algorithm: Let E(x) be a monic polynomial of degree w such that E(zi) = 0 for exactly those indexes i for which p(zi) 6= y0i −αyi.

The existence of this polynomial is guaranteed due to the condition iii of definition 2. Let N(x) =p(x)E(x) be a polynomial of degree less thank+w.

Now consider the following system of equations

h

E(zi)(yi0−λyi) =N(zi)

in

i=1 (system 1)

that has as unknowns the 2w+k coefficients of the polynomials E, N. Observe that the above system (with λas a parameter) is not homogeneous (due to the fact that E is monic). Recall that all steps up to this point follow exactly the Berlekamp-Welch algorithm (modulo the unknownλvalue).

Now consider the slightly extended system below:

h

E0(zi)(y0i−λyi) =N(zi)

in

i=1 (system 2)

where E0_{(x) is a non-monic polynomial that has the same properties as E (i.e. E}0 _{and E}

have the same roots). It follows that system 2 defined above is homogeneous with 2w+k+ 1 unknowns. LetA2[λ] be then×(2w+k+ 1)-matrix of system 2.

Due to conditioniof definition 2 the number of equations nsatisfies

n≥2w+k+ 1

and thus system 2 has at least as many equations as unknowns.

Case 1 of the Attack. rank(A2[0]) = 2w+k+ 1 (i.e.,A2[0] is of full rank). It follows that there

It follows that if we substitute the value α forλin the matrix of the system 3, the matrix is singular since it accepts a solution (the polynomials E0_{, N) that is non-trivial. As a result}

the matrix of system 3, denoted by A3[λ], has the following property:

∃α∈IF : det(A3[α]) = 0

Now observe that the determinant of system 3 is a polynomial f(λ) := det(A3[λ]) that is

of degree at mostw+ 1 (because λis only involved in the part of the matrix of system 3 that corresponds to the polynomialE0).

Further observe that f(0) = det(A3[0]) 6= 0 because of our selection of A3[λ] to have the

property that A3[0] is the full rank minor of the matrix A2[0]. Thus, the value α is among

the w+ 1 roots of f and the output will be the list of roots of f. It follows that the above algorithm gives an efficient solution for the CAP problem.

Case 2 of the Attack. rank(A2[0])<2w+k+ 1. In this case one can find a non-trivial solution

of the systemA2[0] which defines two non-zero polynomials E0, N such that

[E0(zi)y0i=N(zi)]ni=1

Since y_i0 =α(p(zi) +zik+Ei) +pmsg(zi) +ei it follows that

[E0(zi)(α(p(zi) +zik+Ei) +pmsg(zi) +ei) =N(zi)]ni=1

Let I be the subset of{1, . . . , n} for which it holds that i∈I ⇐⇒(ei = 0)∧(Ei = 0). It

follows that

[E0(zi)p∗(zi) =N(zi)]i∈I

where p∗(x) =α(p(x) +xk) +pmsg(x). Recall that the degree of the polynomial N is less

than k+w and E0 is a polynomial of degree w; it follows that E0(x)p∗(x) is a polynomial of degree w+k.

Observe that |I| is a random variable (denoted by η) ranging from n−w−W to n− max{w, W}. Next consider this relation:

η > w+k (Sufficient Condition for Case 2)

Under the above relation, it follows that |I| ≥ w+k+ 1 and as a result the polynomials E0(x)p∗(x) and N(x) are equal. It follows immediately that p∗ = _EN0; naturally given p∗ we

recoverαimmediately and non-ambiguously (in fact, in this case we will even be able to recover the value of the secret-key).

Performing a worst-case analysis of the above, we know that η≥n−w−W and as a result the attack would go through as long as n−w−W > w+k⇐⇒n >2w+W +ksomething that matches condition #1 of the [AF03]-cryptosystem (cf. section 2.1) and thus the case 2 of the attack can be carried for the parameters of the cryptosystem (without even taking into account that η would be somewhat larger than its lower bound n−w−W).

On the other hand, it would be of interest to us to find a necessary condition for case 2 of the attack (the reason for this will become clear in section 3). This can be found by settingηto its highest possible value and requiring this to be greater thanw+k: η:=n−max{w, W}> w+k; this is equivalent to:

3

The Increased Error Case

The cryptosystem of [AF03] mandates that the number of errors introduced by the sender in the formation of the ciphertext is less or equal to n−W₂−k−1 (condition #1 of section 2.1), to ensure unique decoding in the reduced PR-instance that is obtained after removing the W locations that contain the errors of the Public-Key.

We observe that the bound on w is unreasonably low, for the following reason: many of the errors introduced by the sender will fall into the error-area of the public-key, and thus they will not affect the decryption operation (i.e., introducing a new error in an already erroneous location is a case where 1 + 1 = 1).

To see this better, we can think of the sender in the cryptosystem to be playing the following game: he selects w points out ofn and randomizes them. Since W of these points will be discarded by the receiver it follows that the number of the good points (out of the total n−W of good points) that will be randomized by the sender follow a hypergeometric

distribution with mean value n−W

n . It follows that the expected number of good points that

will be randomized by the sender arewn−_nW.

In order to ensure decoding for the decryption operation it suffices to force ˜e≤ n−W−k−1 2

where ˜e is a random variable that follows the hypergeometric distribution with mean n−_nW. Let w = n−W1

n +²

n−W−k−1

2 , for some ² > 0. Using the Chv´atal bound for the hypergeometric

distribution, [Chv79], we have that

Prob[˜e >(n−W

n +²)w]≤e

−2²2w _{=⇒Prob[˜e >} n−W −k−1

2 ]≤e

−2²2w

From the above, as long as ² < W/n, if we set w = n−W1 n +²

n−W−k−1

2 it follows that the

probability Prob[˜e > n−W₂−k−1] ≤ e−2²2w_{, and thus condition # 1 of section 2.1 will be}

satisfied in the probabilistic sense and decryption will succeed with probability 1−e−2²2w_.

We will concentrate on parameters s.t. W > w and w is selected as above. Consider for example the assignment n = 2000, k = 100, W ≥ 1556 (to avoid an attack with [GS98] on the public-key), e.g. we set W = 1600, and ² = 1/6; now observe that W/n = 0.8 > 1/6. The equation forwmentioned above yields w= 407. It follows that the probability of correct decryption is 1−e−240736 = 1−e−22 ≈ 1−2−31. Observe now that case 2 of Coron’s attack

would be foiled since the necessary condition fails:

n > w+ max{w, W}+k⇐⇒2000>1600 + 407 + 100⇐⇒false

Thus, by merely increasing the number of errors that the sender of the cryptosystem intro-duces during encryption (relying on randomization to allow decryption with very high proba-bility), we are capable of thwarting the analysis of Coron’s attack (in particular the analysis of case 2 of the attack). Observe that this is possible without any other modification of the cryptosystem whatsoever.

Nevertheless, this is only a temporary comfort as we will prove in the next section.

4

With High Probability Modified Coron’s Attack Succeeds

against Increased Errors

First, observe the error-increase we introduced in section 3 does not apply to case 1 of Coron’s attack. Indeed, one can show for any² >0 that

w= _n−W1

n +²

n−W −k−1

2 ≤

n−k−1 2

and the condition w≤(n−k−1)/2 is sufficient for case 1 to go through (that is, if we can apply it). Recall that case 1 of the attack only applies to the case det(A3[0])6= 0.

We will show that this in fact happens most of the times (a fact observed in practice in [Cor03c] but not proved). This means that the attack works even in the increased error setting of the previous section. Let us recall the matrix of system 2, as defined in section 2.3.

A2[λ] =

³

B2 C2[λ]

´

=

=

     

1 z1 . . . z1w+k−1 y10 −λy1 (y01−λy1)z1 . . . (y10 −λy1)z1w

1 z2 . . . z2w+k−1 y20 −λy2 (y02−λy2)z2 . . . (y20 −λy2)z2w

..

. ... . . . ... ... ... . . . ... 1 zn . . . znw+k−1 yn0 −λyn (y0n−λyn)zn . . . (yn0 −λyn)zwn

     

where B2 is a Vandermonde matrix of dimension w+k over the elements z1, . . . , zn; B2

corresponds to the coefficients of N(x); C2[λ] is a Vandermonde matrix of dimension w+ 1

over the elements z1, . . . , zn where its i-th row is multiplied by yi0 −λyi, for i = 1, . . . , n; C2

corresponds to the coefficients of E0(x). Recall that A2[λ] is a n×(2w+k+ 1) matrix. We

would like to prove that rank(A2[0]) = 2w+k+ 1 with overwhelming probability.

If rank(A2[0])<2w+k+ 1 then it follows that any (2w+k+ 1)-minor of A2[0] is singular.

Below we show that this event can only happen with very small probability (assuming that the underlying finite field IF is large — something that is assumed in [AF03]) thus we deduce that the first case of the attack would work almost always.

Theorem 4 Let P=Prob[rank(A2[0])<2w+k+ 1] be the probability that the rank ofA2[0]

is less than2w+k+ 1where the probability is taken over all possible choices for the given CAP instance out of which we construct A2[λ]. It holds that P≤2w/|IF| and the proof works even

if the first inequality of condition iof definition 2 is relaxed to only w≤(n−k−1)/2.

Proof.: First observe that due to the conditions i of definition 2 it holds that W > w (even under the relaxationw≤(n−k−1)/2). Suppose that the selection of the error-locations for a CAP instance is denoted by~r. Let J~r be a subset of{1, . . . , n} such that|J~r|= 2w+k+ 1

and J overlaps with all elements i∈ {1, . . . , n} that have the property ei 6= 0, as well as at

least one elementi0 ∈ {1, . . . , n} with the property ei0 = 0 butEi0 6= 0 (the existence of i0 is

assured by the factW > w). Let us now define a minor M~r of A2[0]

M~r=

³

1 zi . . . z_iw+k−1 yi0 yi0zi . . . yi0zwi

´

i∈J~r

We will show that for any~r,M~ris of full rank with very high probability over the remaining

coin-tosses that sample a CAP instance (even in the relaxed settingw≤(n−k−1)/2). Recall that we have thaty_i0 =αyi+pmsg(zi) +ei wherepmsg(x)∈IF[x] is a polynomial of degree less

thankand he1, . . . , eni is a tuple of Hamming weightw. Also that, yi =p(zi) +Ei+zik, where

hE1, . . . , Eni is a random tuple of Hamming weight W. It follows that every column among

colj :=hαzij((p(zj) +Ei+zik) +pmsg(zi) +ei)ii∈J~r j= 0, . . . , w

Now observe that we can view det(M~r) as a multivariate polynomial on the variables

α, e1, . . . , en, E1, . . . , En, a0, . . . , ak−1, b0, . . . , bk−1

where a0, . . . , ak−1 are the coefficients of p(x) and b0, . . . , bk−1 are the coefficients of pmsg(x).

These variables are either free, or bound to be 0 (e.g. if randomness ~r dictates that i0 is not among the error-locations of the public-key it holds thatEi0 is bound to be 0).

Without loss of generality we may assume that~randJ~rare selected so thate1, . . . , ew, Ew+1

are free variables (i.e. correspond to random error-locations); note that any other possibility would work in the same way. Now let us consider the following assignment to the multi-variate polynomial det(M~r):

(α= 1, e1=z1w+k, . . . , ew =zww+k, E1= 0, . . . , Ew = 0, Ew+1 =zww+1+k, Ew+2 = 0,

. . . , EW = 0, a0 = 0, . . . , ak−1 = 0, b0= 0, . . . , bk−1 = 0) =

It follows that det(M~r) takes the following value:

¯ ¯ ¯ ¯ ¯ ¯ ¯ ¯ ¯ ¯ ¯ ¯ ¯ ¯ ¯ ¯ ¯ ¯

1 z1 . . . zw1+k−1 z1w+k z1w+k+1 . . . z21w+k

1 z2 . . . zw2+k−1 z2w+k z2w+k+1 . . . z22w+k

..

. ... . . . ... ... ... . . . ... 1 zw+1 . . . zww+1+k−1 zww+1+k zww++1k+1 . . . z2ww+1+k

1 zw+2 . . . zww+2+k−1 0 0 . . . 0

..

. ... . . . ... ... ... . . . ... 1 z2w+k+1 . . . zw₂w++kk−+11 0 0 . . . 0

¯ ¯ ¯ ¯ ¯ ¯ ¯ ¯ ¯ ¯ ¯ ¯ ¯ ¯ ¯ ¯ ¯ ¯

The above determinant is non-zero (it can be seen easily as an application of well-known properties of Vandermonde matrices), and as a result the multivariate polynomial det(M~r) is

not the zero-polynomial. It follows from Schwartz’s Lemma, [Sch80], that the ratio of the roots of the non-zero multivariate polynomial det(M~r) is bounded from above byτ /IF whereτ ≤2w

is the total degree of det(M~r). ut

5

The Most General AF System Avoids Coron’s Attack

5.1 An “optimal variant” of the [AF03] cryptosystem

In this section we show that the number of errorsw introduced by the sender can, in fact, be increased further beyond the improved bound that we describe in section 3, by employing the proper decoding method for decryption (cf. figure 1). In particular, we make the following cru-cial observation: [AF03] requires that wis below the error-correction bound of Reed-Solomon Codes, so that the decryption (decoding) is unique. Nevertheless the introduction of random errors in a large enough finite field (such fields are utilized in [AF03]) suggests that uniqueness of decoding can be ensured far beyond the error-correction bound.

Lemma 5 Let {hzi, yii}ni=1 be a RS-Code codeword of a random message p ∈ IF[x] with

degree(p) < k that has e errors uniformly random distributed over IF, s.t. e < n−k. Then, the probability that it accepts another decodingp0 ∈IF[x]withp6=p0 is at most¡n

t

¢2

/(|IF|n−e−k)

(the probability is taken over all possible messages and noise corruptions).

Proof.: In the proof below we consider the valuesz1, . . . , zn fixed (as is customary). For some

n, kandt:=n−ewe denote byA1 the number of tuples from IFn that are partially corrupted

RS-codewords with at mosteerrors. Furthermore we denote byA2 the number of strings from

IFnthat are partially corrupted RS-codewords with at mosteerrors and accept more than one decoding.

First observe thatA1 ≥ |IF|n−t+k. This is easy to see since these are the number of degrees

of freedom for selecting then−t error points and thekcoefficients of a polynomial solution. In order to approximate A2 observe the following: let p, p0 ∈ IF[x] be the different ways

to decode a partially corrupted RS-codeword with e errors. Suppose that they overlap in m points; clearly m ∈ {0, . . . , k−1}. It follows that the total number of ways to select p, p0 is |IF|2k−m_{. For the remaining points the total number of ways to select them is |IF|}n−2t+m_{. It}

follows easily thatA2≤¡n_t¢2|IF|n−2t+m+2k−m=¡n_t¢2|IF|n−2t+2k.

It is clear from the statement of the Lemma that the probability that we would like to approximate equalsA2/A1. Now observe that,

A2

A1

≤ ¡n

t

¢2

|IF|n−2t+2k

|IF|n−t+k =

¡n t

¢2 |IF|t−k

this completes the proof. ut

Now observe that if the “message rate” is κ := k/n and the “error-rate” is ² := e/n, with κ, ² ∈ Q+ _{then it follows that the probability in lemma 5 is less than} 4n

|IF|(1−²−κ)n. As a

result, provided that IF satisfies |IF|1−²−κ >4 it follows that the probability of proposition 5 is “negligible.”

Optimal Parameter Setting & Modifications for the Cryptosystem of [AF03]. Tak-ing advantage of the above Lemma in conjunction with the observation of section 3, we can increase the error-parameterwfurther. We refer to our choice as optimal with respect to figure 1 under the basic assumption that the list-decoding algorithm of [GS98] represents the state of the art in RS-decodability.

Below we assume that the sender employs the algorithm of [GS98] for decryption. For this algorithm to work it should hold that ˜e <(n−W)−p

(n−W)kwhere ˜eis the number of errors introduced in the area of good points of the public-key due to the encryption operation. As argued in section 3, ˜eis a random variable following a hypergeometric distribution with mean wn−_nW. In our analysis below we will simply substitute ˜e for the expected number of errors. Note that this does not guarantee that the receiver will be capable of recovering the transmitted message “most of the times.” To guarantee this we would have to show that the probability

Prob[˜e < (n−W)−p

(n−W)k] is overwhelming (as we did in section 3), something that cannot simply be inferred from the fact that the mean of ˜eis less than (n−W)−p

(n−W)k; in order for the receiver to be able to decrypt most of the times we would instead require that the mean of ˜eis sufficiently lower than the bound (n−W)−p

Nevertheless, since we intend to cryptanalyze the resulting cryptosystem, we will opt for simply substituting ˜efor its mean, as this would only make our attack stronger. On the other hand observe that a public-key cryptosystem that works, say, half the times is still quite useful. Thus, substituting ˜eforwn−_nW we obtain

wn−W

n <(n−W)−

q

(n−W)k=⇒w < n−n

s

k n−W

We conclude that the optimal selection would allow the parameterwto be selected as high as:

w < n(1− s

k n−W)

The new bound above increases the number of errors that we can allow the sender to introduce, as long as W is selected appropriately:

Proposition 6 There are choices for W such thatW ≥n−p

n(k−1)and n(1−q_n−k_W)>

n−k−1

2 , as long as k≥5 and k/n≤1/16.

Proof.: The first inequality W ≥ n−p

n(k−1) can be written as W_n ≥ 1−qk−_n1 and it provides a lower bound for W/n. We will see that the second inequality yields an upper bound for W/n: indeed, n(1−q k

n−W) > n−k−1

2 can be rewritten as n+k2+1 > n

q

k n−W; to

satisfy this latter inequality it suffices to provide a W that satisfies n+k > 2nq k n−W, or

(n−W)(n2_{+ 2nk+k}2_{) > 4n}2_{k. The latter inequality is equivalent to n(n}2 _−2nk+k2_{) >}

W(n+k)2 or W_n < ₍(n_n+−k_k)₎22.

(n−k)2 (n+k)2 =

n2+k2+ 2nk−4nk n2_+k2_{+ 2nk} = 1−

4nk

(n+k)2 = 1−4

k/n (1 +k/n)2

It follows that we must show,

1−4 k/n

(1 +k/n)2 >1−

s

k−1

n ⇐⇒

s

k−1 n >4

k/n

(1 +k/n)2 ⇐⇒(1 +k/n) 4k−1

n >16(k/n)

2

⇐⇒(n+k)4(k−1)>16n3k2⇐⇒ (n+k)

4

n3 >16

k2 k−1

Given thatk≥5 we deduce that 20k≥16_kk₋2₁, thus it suffices to show that (n+k)4>20n3k, which is equivalent ton4−16n3k+6n2k2+4nk3+k4>0 which is true provided thatk/n≥1/16. On the other hand, observe that if k is very large it holds that _kk₋2₁ ≈k; thus we derive that ifκ:=k/nit holds thatκ should satisfyκ4_{+ 4κ}3_{+ 6κ}2_{−12κ+ 1>0; as an equation the}

left-hand-side has two real roots,κ = 1 andκ ≈0.0873; it follows that an upper bound for κ

is 1/11. ut

that n= 2500 and k= 101. Then, W should be selected in the range [2000, . . . ,2126]; if we make the choice W = 2063 then we can set w to be as high as 1298, whereas Coron’s attack would correct any value of w only up to 1199. Note that the gap of 99 elements between the bound of Coron’s attack and the assignment w = 1298 ensures that the application of the attack by removing 99 points at random would only succeed with probability less than (0.52)99_≈2−96 _{(since the ratio of the sender-introduced error points is ≈0.52).}

Corollary 7 Coron’s attack cannot be applied against the [AF03]-cryptosystem in the optimal parameter setting.

To draw a parallel to our exposition in section 2.2, we introduce the problem CAP+ to stand for the ciphertext-only attack problem of the optimal variant of Augot and Finiasz Cryptosystem, (the only difference from CAP being in the choice of w):

Definition 8 Ciphertext-only Attack Problem in the optimal parameter setting

(CAP+) Given two sequences of tuples X1:={hzi, yii}ni=1 and X2:={hzi, y0ii}ni=1 and

param-eters k, w, W that satisfy the following conditions

i. w < n(1−q k

n−W), and W ≥n−

p

n(k−1).

ii. {hzi, yi−ziki}ni=1 is a random PR-instance with parameters [n, k, W].

iii. ∃α∈IF such that {hzi, yi0−αyii}ni=1 is a random PR-instance with parameters [n, k, w].

Goal. Find a list of values of polynomial-length that contains the valueα.

As before we show that any algorithm that solves CAP+ can be used to mount a ciphertext-only attack on the cryptosystem of [AF03] (but now in the optimal parameter setting):

Proposition 9 Let A be an algorithm that solves CAP+ in polynomial-time. Then any mes-sage encrypted in the cryptosystem of [AF03] in the optimal parameter setting can be decrypted without knowledge of the secret-key in polynomial-time in the security parameter.

Proof.: Similar to the proof of proposition 3 with the difference that now Guruswami-Sudan’s algorithm, [GS98], should be employed instead of the Berlekamp-Welch algorithm. ut

In the Lemma below we give an upper bound on the value ofw(that is independent ofW).

Lemma 10 For any CAP+ instance, it holds thatn−w > p4

n3_(k−1).

Proof.: First observe that n−W ≤nqk−1

n =⇒

q

k−1

n−W ≥

4

q

k−1

n . Since w < n−n

q

k n−W =⇒

n−w > nq_n−k_W > nq_nk₋−_W1 ≥nq4 k−1

n =

4

p

n3_{(k−1). ut}

6

The Attack Against the General System Employing

List-Decoding

6.1 The attack

Let n, k, w, W ∈ Z and X1 = {hzi, yii}in=1, X2 = {hzi, yi0i}ni=1 be an instance of CAP+. We

denote ˆyi :=yi0 −λyi fori= 1, . . . , n, where λ is an unspecified parameter (free variable); to

set the parameter λto a specific value α we will write ˆyi[α].

According to the definition of a CAP+ instance we know that there exists a value α ∈IF (the “encryption coefficient”) and a polynomial p∈IF[x] of degree less than k (the “message polynomial”) that agrees with n−w of the pointshzi,yˆi[α]i. Definel:=n−w−1. Next we

consider the following system of equations on a set of unknowns {qj1,j2}j1≥0,j2≥0,j1+(k−1)j2<l

(called system 4):

∀i∈ {1, . . . , n} X

j1≥0,j2≥0,j1+(k−1)j2<l

qj1,j2z

j1

i yˆ j2

i = 0 (system 4)

Observe that any solution to system 4 above defines a bivariate polynomial Q(x, y) that satisfies the property degree_Q,x+ (k−1)degree_Q,y< l.

Lemma 11 The number of unknowns of system 4, is at least ₂₍l(l_k−₋1)₁₎.

Proof.: The number of unknowns can be easily seen to be equal to the following double sum:

bl−1 k−1c

X

j2=0

l−1−j2(k−1)

X

j1=0

1 =

bl−1 k−1c

X

j2=0

(l−j2(k−1)) =

=l(bl−1

k−1c+ 1)−(b l−1

k−1c+ 1)b l−1 k−1c

k−1 2 = (b

l−1

k−1c+ 1)(l− b l−1 k−1c

k−1 2 )≥

≥(l−1 k−1)(l−

l−1 k−1

k−1 2 ) =

l(l−1) 2(k−1)

u t

Recall that from proposition 6 we know that we only consider parameter choices that satisfy k/n≤1/16. For such range of parameters (and sufficiently largen) we, in fact, show:

Lemma 12 System 4 is not overdefined provided that n≥19 andk/n≤1/9.

Proof.: In order for system 4 to be not overdefined it suffices to show that,

l(l−1) 2(k−1) =

(n−w−1)(n−w−2)

2(k−1) ≥n

This can be satisfied provided that

(n−w−1)(n−w−2)≥2(k−1)n⇐⇒(n−w)2 ≥2(k−1)n−2 + 3(n−w)

Now observe that, 2₃(n−w)2 ≥ 2(k−1)n. Indeed (n−w)2 > p

n3_{(k−1) (from lemma}

10), and it holds that

q

n3_{(k−1)≥3(k−1)n⇐⇒} k−1

n ≤

Next consider the inequality 1₃(n−w)2 ≥3(n−w); it is equivalent ton−w≥9 which will be satisfied as long as p4

n3_{(k−1)≥9 which is true for n≥19.}

We conclude that

(n−w)2 = 2

3(n−w)

2₊1

3(n−w)

2 _{≥2(k−1)n+ 3(n−w)≥2(k−1)n−2 + 3(n−w)}

which completes the proof. tu

Subsequently we omit the appropriate number of unknowns from system 4, to equalize the number of unknowns and equations. This results in a square homogeneous system of n equations and unknowns that we call system 5. We denote the matrix of system 5 byA[λ].

Theorem 13 Let α ∈ IF be the “encryption coefficient” for a CAP+ instance as defined in item iii of definition 8. The matrix A[α] as constructed above is singular.

Proof.: Letα∈IF, p∈IF[x] be the solution of the CAP+ instance.

Recall that of the npoints {hzi,yˆi[α]i}ni=1, at leastn−w of them belong the graph of the

polynomialp, which is of degree less thank.

Let i0 be one of these points and consider the system that results after removing from

system 5 the equation below:

X

j1≥0,j2≥0,j1+(k−1)j2<l

zj1

i0yˆ

j2

i0 = 0

We will call the resulting system that has one equation less, “system 6.” It is immediate that system 6 is an underspecified homogeneous system. It follows that it accepts a non-trivial solution.

Now observe that any non-trivial solution to system 6 defines a bivariate polynomial R∈ IF[x, y] that has the following properties:

1. R is of degreesdx, dy that satisfydx+ (k−1)dy < l.

2. For any point i6=i0, such thatp(zi) = ˆyi[α], it holds that (x−zi) divides R(x, p(x)).

3. It holds thaty−p(x) dividesR(x, y) (whenR(x, y) is viewed as a univariate polynomial on y with coefficients in IF[x]).

Justification for Item 1. it follows from the definition of system 4: the degrees of any monomial xj1_yj2 _{ofR satisfyj}

1+ (k−1)j2 < l.

Justification for item 2. Since p(zi) = ˆyi[α] it follows that zi is a root of R(x, p(x)) and as a

result (x−zi) divides R.

Justification for item 3. Observe that the degree ofR(x, p(x)) is strictly less thanl=n−w−1 (by item 1). We have n−w−1 points among the {1, . . . , n} − {i0} that agree with p(x).

Using item 2, it follows that (x−zi) divides R(x, p(x)) for n−w−1 points. As a result the

degree ofR(x, p(x)) is at least n−w−1(=l), a contradiction, unlessR(x, p(x)) is exactly the zero-polynomial, something that implies that y−p(x) is a factor ofR(x, y) when the latter is seen as a univariate polynomial ony over IF[x].

To complete the proof now observe the following: because of item 3 above it follows that R(zi0, p(zi0)) = 0, and thus the equation that we omitted in order to construct system 6 from

the extended system 5, and since R 6= 0 it follows that system 5 for λ=α has a non-trivial

solution, thus it holds that A[α] is singular. ut

Since A[α] is singular, it follows that if we define the polynomialf(λ) := Det(A[λ]), α will be among the solutions off(λ). Thus we can solve CAP+ by computing all the (polynomialy many, by degree constraint) roots of f(λ).

Theorem 14 The probability P that the polynomialf(λ) = Det(A[λ]) is the zero-polynomial satisfiesP≤2s(n−l)/|IF|, where s=bl−1

k−1c (the maximum degree of the y-variable in any of

the columns ofA[λ]).

Proof.: First observe that due to conditioniof definition 8 it holds that W > w. Let us examine first the matrix of system 4.

A4[λ] =

   

1 z1 . . . z1l−1 yˆ1 yˆ1z1 . . . yˆ1z1l−1−(k−1) . . . yˆ1s yˆ1sz1 . . . yˆs1z

l−s(k−1) 1

..

. ... . . . ... ... ... . . . ... . . . ... ... . . . ... 1 zn . . . znl−1 yˆn yˆnzn . . . yˆnznl−1−(k−1) . . . yˆns yˆsnzn . . . yˆnsz

l−s(k−1)

n

   

Observe that the matrix of system 5, A[λ] results from the above matrix by removing a number of columns so that it becomes square. Since f(λ) = det(A[λ]) it follows that the probability thatf = 0 is bounded from above from the probability that det(A[0]) = 0. Observe that A[0] is a matrix as above with ˆyi substituted for yi0 (the ciphertext values) for all i =

1, . . . , n (and of course a number of columns removed so that it becomes square). Letube some parameter to be specified later. We sety0

i =zilfor alli= 1, . . . , uandy0i= 0

otherwise.

Observe that all columns of A[0] are of the form hzj1

i (y0i)j2iin=1 with j1+ (k−1)j2 < l.

Setting y0

i = zil for i = 1, . . . , u it follows that z j1

i (yi0)j2 = z j1+j2l

i . Observe now that for all

j1, j2, j10, j20 with j1+ (k−1)j2 < l and j10 + (k−1)j20 < l it holds that it cannot be the case

that j1+j2l =j10 +j20l, unless hj1, j2i =hj10, j20i. Assume j1+j2l =j10 +j20l. Sincej1, j10 < l

always it follows that j1=j10; as a result lj2=lj02, but this implies thatj2 =j20 also.

It follows that the first urows ofA[0] with the substitutiony0_i=z_il constitute an extended punctured Vandermonde matrix1 of dimensions (u×n). The remaining rows of this matrix are of the form

   

1 zu+1 . . . zlu−+11 0 0 . . . 0

..

. ... . . . ... ... ... . . . ... 1 zn . . . znl−1 0 0 . . . 0

   

We make the selectionu=n−l. It follows that the above matrix is of full rank. Also the first u rows ofA[0] with the substitutiony0_i=zl

i are also of full rank.

The above arguments suggest that there is a way to control the coin tosses of the sender in the cryptosystem so that the matrix A[0] becomes non-singular. To do this we were required to control u error-points. Since l =n−w−1, it holds that u = n−l = w+ 1. As a result it suffices that we control one additional error-location which happens always since W > w (following similar arguments as in the proof of theorem 4).

With a similar arguments as in the proof of theorem 4 we conclude that using Schwartz Lemma the probabilityPthatA[0] will be singular satisfies,P≤2s(n−l)/|IF|. This concludes

the proof. ut

1_{we call a matrixM, “extended punctured Vandermonde” if there is aD⊆IN andz}

1, . . . , zvpairwise distinct

elements of IF, so thatM’s columns are of the formhz1d, . . . , z d vi

T

7

Summary

In this section, we summarize our cryptanalytic results.

Given an instance of CAP+{hzi, yii}ni=1,{hzi, yi0i}ni=1 with parameters

n, k, w, W.

0. Setl:=n−w−1.

1. SelectD⊆IN×IN so that|D|=nand for allhj1, j2i ∈D,j1+ (k−

1)j2 < l

2. LetD~ =Dhj1[1], j2[1]i, . . . ,hj1[n], j2[n]i

E

, a lexicographic ordering of D.

3. Construct a (n×n)-matrixAso that its (i, i0)-entry equalszj1[i0]

i (y0i−

λyi)j2[i

0_]

.

4. Compute f(λ) := det(A[λ]) symbolically to obtain the polynomialf on λ. 5. Output all roots of f.

Figure 2: The algorithm that solves CAP+

First in figure 2 we overview the CAP+ algorithm that was presented in the previous sec-tion. Using this, the general cryptosystem based on Augot and Finiasz [AF03], even under the optimal choice of parameters is broken under ciphertext-only attacks. The breaking algorithm is summarized in figure 3.

Given the public-key and a ciphertext of the [AF03]-cryptosystem with parameters n, k, w, W.

1. ifw≤ n−k₂−1 invoke case 1 of Coron’s attack.

2. else invoke the CAP+ algorithm of figure 1, and recover the plaintext using Guruswami-Sudan algorithm (as described in proposition 9).

Figure 3: The attack against the Generalized Version of [AF03]-Cryptosystem.

Note that the attack outlined above is probabilistic and is guaranteed to work with very high probability as we have shown in theorem 4 (for case 1 of Coron’s attack), and theorem 14 (for CAP+ algorithm).

References

[AF03] Daniel Augot and Matthieu Finiasz, A Public Key Encryption Scheme Based on the Polynomial Reconstruction Problem, Eli Biham (Ed.): Advances in Cryptology - EURO-CRYPT 2003, International Conference on the Theory and Applications of Cryptographic Techniques, Warsaw, Poland, May 4-8, 2003, Proceedings. Lecture Notes in Computer Science 2656 Springer 2003, pp. 229-240.

[AFL03] Daniel Augot, Matthieu Finiasz and Pierre Loidreau,Using the Trace Operator to re-pair the Polynomial Reconstruction based Cryptosystem presented at Eurocrypt 2003, Cryp-tology ePrint Archive, Report 2003/209, 2003,http://eprint.iacr.org/.

[Chv79] Vasek Chv´atal, The tail of the hypergeometric distribution, Discrete Math, Vol. 25, pp. 285-287, 1979.

[Cor03a] Jean-Sebastien Coron, Cryptanalysis of a public-key encryption scheme based on the polynomial reconstruction problem, Cryptology ePrint Archive, Report 2003/036. http: //eprint.iacr.org/.

[Cor03b] Jean-Sebastien Coron, Cryptanalysis of the Repaired Public-key Encryption Scheme Based on the Polynomial Reconstruction Problem, Cryptology ePrint Archive, Report 2003/219. http://eprint.iacr.org/.

[Cor03c] Jean-Sebastien Coron, Cryptanalysis of a public-key encryption scheme based on the polynomial reconstruction problem, in Feng Bao, Robert H. Deng, Jianying Zhou (Eds.): Public Key Cryptography - PKC 2004, 7th International Workshop on Theory and Practice in Public Key Cryptography, Singapore, March 1-4, 2004. Lecture Notes in Computer Science 2947 Springer 2004, pp. 14-27.

[GS98] Venkatesan Guruswami and Madhu Sudan, Improved Decoding of Reed-Solomon and Algebraic-Geometric Codes.In the Proceedings of the 39th Annual Symposium on Founda-tions of Computer Science, Palo Alto, California, November 8-11, IEEE Computer Society, pp. 28–39, 1998.

[KY02] Aggelos Kiayias and Moti Yung, Cryptographic Hardness based on the Decoding of Reed-Solomon Codes, in the Proceedings of ICALP 2002, Lecture Notes in Computer Sci-ence, vol. 2380, Malaga, Spain, July 8-13, pp. 232-243.

[McE78] Robert J. McEliece.A public key cryptosystem based on algebraic coding theory. Jet Propulsion Lab, DSN Progress Report, 42(44), pp. 114–116, Jan-Feb 1978.

[McE03] Robert J. McEliece, The Guruswami-Sudan Decoding Algorithm for Reed-Solomon Codes, IPN Progress Report 42-153, May 15, 2003. http://ipnpr.jpl.nasa.gov/tmo/progress report/42−153/153F.pdf.

[Sch80] Jacob T. Schwartz,Fast Probabilistic Algorithms for Verifications of Polynomial Iden-tities, Journal of the ACM, Vol. 27(4), pp. 701–717, 1980.

[Sud97] Madhu Sudan,Decoding of Reed Solomon Codes beyond the Error-Correction Bound.